Top 10 Security Best Practices

by Gigi Sayfan

Dec 30, 2016

Security has never been more important. Our world is run by software, and algorithms make wide-ranging decisions based on data. The reputation of a large enterprise can be severely damaged by a security breach, and losing the trust of customers is a serious issue. Smaller companies can go out of business after such an incident. By following some good advice and best practices you can significantly reduce the risk of being compromised.

It's All in Your Head

Security is a mindset. If you are responsible for security you must realize that it's not all about technology. All complicated systems have human components. Be mindful that people are very creative in poking holes in even the best security policies and procedures. You must plan for human failure at each point. That also implies that you should aim to minimize the possibility of human failure by automating, or automatically verifying, every action and access.

Data Is Liability

Data is often considered an asset. The big data revolution puts data collection, storage and mining with machine learning on a pedestal. But data is also a liability. You need to store it, back it up, make it available and migrate it when your storage solutions evolve. At large scale, with distributed data stores, many different types of users, and integration of legacy systems with modern cloud native applications, this is a very challenging task. Securing the data is even harder. Consider very carefully what value you actually derive from your data. Don't subscribe to the "measure everything" approach; in most cases it is a losing proposition. In addition, data loses its value very quickly, so consider how long you really need to keep historical data. If you process your data as a stream you may enjoy the best of all worlds: processing everything, but keeping very little.

Defense in Depth

If your system is of any significance whatsoever it will be compromised. This is a fact of life. Complex systems evolve all the time. Every little change (deploying a new version of a service, upgrading a package, adding a new server, hiring a new employee, firing an existing employee) is fertile ground for problems, bugs and security breaches. You need to design your security with multiple layers of overlapping checks and balances, and constantly run checkers, verifiers and auditors that monitor the system, keep it intact, and detect deviation from the desired state early.

KISS

Keep it simple, stupid. Defense in depth is difficult and adds complexity overhead: it puts more moving parts into the system. If you can simplify your overall system architecture, then securing it will be easier too. The same mindset applies as with data. Do you really need all that functionality? Does it provide real business value? Also, try to keep a clean house. Get rid of redundancies. Refactor the code. Avoid duplication of functionality across libraries, services and applications.

The Principle of Least Privilege

A user or a program should not have access to more than it needs to perform its job. This can be very annoying at times and cause a lot of friction, but at least in production it is a must. When the compromise happens, you will be much better equipped to contain it, track it back to its source and evaluate the potential damage.

Use Sane Authentication Procedures

Users are notoriously unreliable when it comes to managing credentials. User passwords are in general laughably easy to guess. You should employ multi-factor authentication. You should log repeated login failures. You should add a delay between login attempts. Don't allow easy-to-guess passwords. Rotate passwords frequently.
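The three mechanical controls in this section (log repeated failures, delay further attempts, reject weak passwords) fit in a few small functions. This is an added illustration, not code from the article; the log format, the ten-minute window, the failure threshold and the short common-password list are all assumptions, and the log lines are constructed.

```python
"""Login throttling and password-policy checks over constructed auth-log lines
(added illustration; the log format, window and thresholds are assumptions)."""
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2016-12-30T10:00:01 LOGIN_FAIL user=alice ip=203.0.113.7
2016-12-30T10:00:03 LOGIN_FAIL user=alice ip=203.0.113.7
2016-12-30T10:00:04 LOGIN_OK   user=bob   ip=198.51.100.2
2016-12-30T10:00:06 LOGIN_FAIL user=alice ip=203.0.113.7
2016-12-30T10:00:09 LOGIN_FAIL user=alice ip=203.0.113.7
2016-12-30T10:00:40 LOGIN_FAIL user=alice ip=203.0.113.7
2016-12-30T10:20:00 LOGIN_FAIL user=carol ip=192.0.2.9
"""

WINDOW = timedelta(minutes=10)  # failures older than this no longer count
THRESHOLD = 3                   # failures tolerated before delays kick in
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome"}

def parse_log(text):
    """Yield (timestamp, event, user, ip); strips the 'user=' and 'ip=' prefixes."""
    for line in text.splitlines():
        ts, event, user, ip = line.split()
        yield datetime.fromisoformat(ts), event, user[5:], ip[3:]

def failures_in_window(records, now):
    """Count LOGIN_FAIL events per user inside the sliding window ending at now."""
    counts = defaultdict(int)
    for ts, event, user, _ip in records:
        if event == "LOGIN_FAIL" and timedelta(0) <= now - ts <= WINDOW:
            counts[user] += 1
    return dict(counts)

def login_delay_seconds(failures, base=1, cap=300):
    """Exponential back-off: 0 below the threshold, then 1, 2, 4, ... seconds, capped."""
    if failures < THRESHOLD:
        return 0
    return min(base * 2 ** (failures - THRESHOLD), cap)

def throttle_report(log_text, now_iso):
    """Return {user: (recent_failures, delay_seconds)} for every user with failures."""
    fails = failures_in_window(parse_log(log_text), datetime.fromisoformat(now_iso))
    return {u: (n, login_delay_seconds(n)) for u, n in fails.items()}

def password_is_acceptable(pw, username):
    """Reject short, common, low-variety and username-derived passwords."""
    low = pw.lower()
    if len(pw) < 12 or low in COMMON_PASSWORDS or len(set(low)) < 4:
        return False
    return username.lower() not in low
```

Evaluated at 10:05, `throttle_report` sees alice's five failures inside the window and asks for a 4 second delay before her next attempt, while carol's later entry is outside the window and is not counted.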

Use HTTPS

HTTPS is HTTP where all the traffic is encrypted (the "S" at the end stands for "Secure"). Today, there is no reason to use plain HTTP anymore. HTTPS is easy to deploy, and certificate management has never been easier. It significantly reduces the attack surface and lets you focus your energy on other difficult security tasks.

Take Care of Your Infrastructure

The infrastructure is the hardware your system runs on, the networking, the operating system and other baseline services. Most complicated systems are built on top of a huge pile of these dependencies. Make sure you patch and update your operating system and the other infrastructure services you use, such as databases, queues and frameworks.

Encrypt Data at Rest and Transit

With modern hardware, encryption and decryption are very fast. You should never keep important data unencrypted, regardless of how well it is otherwise protected. This is a very nice way to reduce the problem of protecting all the data to the problem of encryption key management.

Going Forward

Security is hard. It takes dedicated attention, knowledge and meticulous execution. It is also an ongoing process. It's important to educate stakeholders and clarify the state of security, the risks and mitigations. You need to be vigilant and on your toes.

Gigi Sayfan is the chief platform architect of VRVIU, a start-up developing cutting-edge hardware + software technology in the virtual reality space. Gigi has been developing software professionally for 21 years in domains as diverse as instant messaging, morphing, chip fabrication process control, embedded multimedia applications for game consoles, brain-inspired machine learning, custom browser development, web services for a 3D distributed game platform, IoT/sensors and most recently virtual reality. He has written production code every day in many programming languages such as C, C++, C#, Python, Java, Delphi, JavaScript and even COBOL and PowerBuilder, for operating systems such as Windows (3.11 through 7), Linux, Mac OS X, Lynx (embedded) and Sony PlayStation. His technical expertise includes databases, low-level networking, distributed systems, unorthodox user interfaces and the general software development life cycle.